CVE-2025-36594
📋 TL;DR
An authentication bypass vulnerability in Dell PowerProtect Data Domain allows an unauthenticated attacker with remote access to bypass protection mechanisms, create accounts, and potentially disclose customer information. It affects systems running specific versions of the Data Domain Operating System (DD OS) and puts the integrity and availability of the backup appliance at risk.
💻 Affected Systems
- Dell PowerProtect Data Domain
📦 What is this software?
Dell PowerProtect Data Domain is Dell's purpose-built, deduplicating backup storage appliance. It runs the Data Domain Operating System (DD OS) and is administered through the DD OS command-line interface and the DD System Manager web interface.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing unauthorized access to sensitive data, account creation, and potential disruption of backup operations.
Likely Case
Unauthorized account creation leading to data exposure and potential lateral movement within the backup infrastructure.
If Mitigated
Limited impact if systems are isolated and access controls are properly implemented.
🎯 Exploit Status
The Dell advisory describes the flaw as exploitable by an unauthenticated attacker with remote access and low attack complexity. No public proof of concept is cited here.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed DD OS versions are listed per release train in the Dell advisory DSA-2025-159; apply the one that matches your train.
Vendor Advisory: https://www.dell.com/support/kbdoc/en-us/000348708/dsa-2025-159-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities
Restart Required: Yes
Instructions:
1. Review Dell advisory DSA-2025-159.
2. Download the appropriate patch for your DD OS version.
3. Apply the patch following Dell's update procedures.
4. Restart the system as required.
🔧 Temporary Workarounds
Network Isolation
Restrict network access to Data Domain systems to trusted networks only.
Use firewall rules to limit inbound connections to specific IP ranges.
🧯 If You Can't Patch
- Isolate vulnerable systems from untrusted networks and internet access.
- Implement strict network segmentation and monitor for unauthorized account creation attempts.
🔍 How to Verify
Check if Vulnerable:
Log in to the DD OS CLI and check the running DD OS version with `system show version`; compare it with the affected ranges listed in DSA-2025-159 for your release train.
Check Version:
system show version
Verify Fix Applied:
Confirm that `system show version` reports a DD OS version at or above the fixed version for your release train as listed in DSA-2025-159, and confirm that account creation still requires an authenticated administrator session.
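Comparing a DD OS version against the fixed build is easy to get wrong when fixes ship per release train (an older LTS branch can be fixed at a lower number than a newer branch is vulnerable at). The helper below, added here as an example and not part of the page or of Dell's tooling, parses the version line printed by `system show version` (the sample output is constructed; adjust the regex if your appliance prints a different format) and compares it only against its own train. The `FIXED_BY_TRAIN_EXAMPLE` values are placeholders, not taken from the advisory; fill them in from DSA-2025-159.

```python
import re

# Matches the version line printed by `system show version`.
# Assumed format (constructed, not captured from a real appliance):
#   "Data Domain OS 7.13.1.10-1234567"
VERSION_RE = re.compile(r"Data Domain OS (?P<ver>\d+(?:\.\d+)+)(?:-(?P<build>\d+))?")


def parse_ddos_version(text):
    """Return the numeric version tuple from `system show version` output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m["ver"].split("."))


def is_fixed(text, fixed_by_train):
    """
    Decide whether the DD OS version in `text` carries the fix.

    fixed_by_train maps a release train (major, minor) to the first fixed version
    tuple of that train. A version is compared only against its own train, because
    a higher train being vulnerable says nothing about an older LTS train.
    Returns True (fixed), False (vulnerable) or None (train not in the table).
    """
    ver = parse_ddos_version(text)
    if ver is None:
        raise ValueError("could not parse a DD OS version from the given text")
    fixed = fixed_by_train.get(ver[:2])
    if fixed is None:
        return None
    # Tuple comparison is element-wise; a shorter version such as (7, 13, 1)
    # sorts below (7, 13, 1, 99), which is the conservative (vulnerable) answer.
    return ver >= fixed


# PLACEHOLDER table for illustration only. These are NOT the real fixed versions;
# take the per-train values from Dell advisory DSA-2025-159.
FIXED_BY_TRAIN_EXAMPLE = {
    (7, 13): (7, 13, 1, 99),
    (8, 1): (8, 1, 0, 99),
    (8, 3): (8, 3, 0, 99),
}

if __name__ == "__main__":
    # Constructed sample output, as if pasted from the CLI.
    sample = "Data Domain OS 7.13.1.10-1234567"
    print(parse_ddos_version(sample), is_fixed(sample, FIXED_BY_TRAIN_EXAMPLE))
```

A `None` result means the running train is not in your table; treat that as "unknown" and check the advisory rather than assuming the system is safe.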
📡 Detection & Monitoring
Log Indicators:
- Unexpected account creation events
- Failed authentication attempts followed by successful access
- Unusual login patterns from unknown IPs
Network Indicators:
- Unauthenticated requests to authentication endpoints
- Traffic patterns suggesting account creation
SIEM Query (illustrative Splunk-style search; the index, sourcetype, trusted CIDR and message strings are placeholders to adapt to how your collector parses DD OS syslog):
index=infra sourcetype=datadomain ("user add" OR "Accepted password" OR "Accepted publickey") | rex "from (?<src_ip>\d+\.\d+\.\d+\.\d+)" | where NOT cidrmatch("10.20.0.0/16", src_ip)
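The log indicators above (unexpected account creation, failed logins followed by a success, logins from unknown sources) can be checked against exported syslog before a SIEM rule is in place. The script below is an added example, not part of the page or of any Dell tooling: it runs those three checks over a handful of constructed log lines. The sshd lines use the standard OpenSSH wording; the "user add" line is an assumed DD OS audit format (DD OS records administrative commands such as `user add <name> role <role>`), so the regex and the trusted network `10.20.0.0/16` are assumptions to adjust for your environment.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed trusted management network; any other source counts as "unknown".
TRUSTED_NETS = [ip_network("10.20.0.0/16")]

# Event patterns. Adjust to the message format your syslog collector receives.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
USERADD_RE = re.compile(
    r"user add (?P<newuser>\S+) role (?P<role>\S+) by (?P<actor>\S+) from (?P<ip>[\d.]+)"
)


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines, fail_threshold=2):
    """
    Scan log lines in order and return a list of alert dicts.

    - fail_then_success: a source IP reaches `fail_threshold` failed logins and
      then logs in successfully (counter is reset on success).
    - login_untrusted_ip: successful login from outside TRUSTED_NETS.
    - account_creation: every account creation is reported, flagged with
      untrusted_source when it came from outside TRUSTED_NETS.
    This example uses line order as the time window; a production rule should
    bound the window by timestamp.
    """
    alerts = []
    failures = {}  # source ip -> failed logins not yet followed by a success
    for line in lines:
        if (m := FAILED_RE.search(line)):
            failures[m["ip"]] = failures.get(m["ip"], 0) + 1
        elif (m := ACCEPTED_RE.search(line)):
            ip = m["ip"]
            if failures.get(ip, 0) >= fail_threshold:
                alerts.append({"type": "fail_then_success", "user": m["user"],
                               "ip": ip, "failures": failures[ip]})
            if not is_trusted(ip):
                alerts.append({"type": "login_untrusted_ip", "user": m["user"], "ip": ip})
            failures.pop(ip, None)
        elif (m := USERADD_RE.search(line)):
            alerts.append({"type": "account_creation", "new_user": m["newuser"],
                           "role": m["role"], "actor": m["actor"], "ip": m["ip"],
                           "untrusted_source": not is_trusted(m["ip"])})
    return alerts


# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOGS = [
    "Jul 10 09:12:01 dd01 sshd[1201]: Failed password for sysadmin from 203.0.113.45 port 51234 ssh2",
    "Jul 10 09:12:03 dd01 sshd[1201]: Failed password for sysadmin from 203.0.113.45 port 51234 ssh2",
    "Jul 10 09:12:09 dd01 sshd[1203]: Accepted password for sysadmin from 203.0.113.45 port 51240 ssh2",
    "Jul 10 09:12:30 dd01 ddos: user add svc_backup2 role admin by sysadmin from 203.0.113.45",
    "Jul 10 10:01:00 dd01 sshd[1310]: Accepted publickey for backupadmin from 10.20.0.5 port 40000 ssh2",
    "Jul 10 10:01:40 dd01 ddos: user add reporting role user by backupadmin from 10.20.0.5",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

On the sample data the script raises four alerts: the failed-then-successful login and the untrusted-source login from 203.0.113.45, the admin account created from that same address, and the routine account creation from the management network (reported, but not flagged). Account creation without any preceding successful login is the pattern to look for with this CVE, since the bypass does not require valid credentials.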